When you are setting up access control and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), you can use the following as a reference. It lists each CloudFront API operation, the corresponding actions for which you can grant permission to perform the operation, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.
You can use AWS-wide condition keys in your CloudFront policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.
Topics
- Required Permissions for Actions on Web Distributions
- Required Permissions for Actions on RTMP Distributions
- Required Permissions for Actions on Invalidations
- Required Permissions for Actions on Origin Access Identities
- Required Permissions for CloudFront Actions Related to Lambda@Edge
- Required Permissions for Actions on Tags
Required Permissions for Actions on Web Distributions

CreateDistribution
Required Permissions (API Action):
- cloudfront:CreateDistribution
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
CreateDistributionWithTags
Required Permissions (API Action):
- cloudfront:CreateDistribution, cloudfront:TagResource
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
GetDistribution
Required Permissions (API Action): cloudfront:GetDistribution, acm:ListCertificates (CloudFront console only)
Resources: *
GetDistributionConfig
Required Permissions (API Action): cloudfront:GetDistributionConfig, acm:ListCertificates (CloudFront console only)
Resources: *
ListDistributions
Required Permissions (API Action): cloudfront:ListDistributions
Resources: *
UpdateDistribution
Required Permissions (API Action):
- cloudfront:UpdateDistribution
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
DeleteDistribution
Required Permissions (API Action): cloudfront:DeleteDistribution
Resources: *
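As an added example (not part of the CloudFront documentation), the following Python builds an identity-based policy from the web-distribution rows above: CloudFront and ACM actions go on Resource "*" as the table states, while the S3 ACL actions needed for access logging are scoped to a single logging bucket, and a check flags any s3: action left on "*". The OPERATIONS mapping is transcribed from the rows above and the bucket name example-cf-logs is a constructed placeholder.

```python
import json

# Per-operation actions, transcribed from the web-distribution rows above:
# (always-required actions, actions needed only when access logging is enabled).
OPERATIONS = {
    "CreateDistribution": (["cloudfront:CreateDistribution"], ["s3:GetBucketAcl", "s3:PutBucketAcl"]),
    "UpdateDistribution": (["cloudfront:UpdateDistribution"], ["s3:GetBucketAcl", "s3:PutBucketAcl"]),
    "GetDistribution": (["cloudfront:GetDistribution"], []),
    "DeleteDistribution": (["cloudfront:DeleteDistribution"], []),
}


def build_policy(operations, log_bucket=None, console=False):
    """Return an identity-based policy document for the given API operations.

    CloudFront (and ACM) actions use Resource "*" as the table requires; the
    S3 ACL actions are restricted to the one logging bucket instead of "*".
    """
    cf_actions, s3_actions = set(), set()
    for op in operations:
        required, logging_only = OPERATIONS[op]
        cf_actions.update(required)
        if log_bucket:
            s3_actions.update(logging_only)
    if console:
        cf_actions.add("acm:ListCertificates")  # needed by the console only
    statements = [{"Sid": "CloudFront", "Effect": "Allow",
                   "Action": sorted(cf_actions), "Resource": "*"}]
    if s3_actions:
        statements.append({"Sid": "AccessLogBucketAcl", "Effect": "Allow",
                           "Action": sorted(s3_actions),
                           "Resource": f"arn:aws:s3:::{log_bucket}"})
    return {"Version": "2012-10-17", "Statement": statements}


def overbroad_s3_statements(policy):
    """Sids of Allow statements granting any s3: action (or "*") on Resource "*"."""
    found = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Allow" and "*" in resources and \
                any(a == "*" or a.startswith("s3:") for a in actions):
            found.append(st.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    # Constructed bucket name; replace with the bucket that receives access logs.
    policy = build_policy(["CreateDistribution", "UpdateDistribution"],
                          log_bucket="example-cf-logs", console=True)
    print(json.dumps(policy, indent=2))
    print("overbroad S3 statements:", overbroad_s3_statements(policy))
```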
Required Permissions for Actions on RTMP Distributions

CreateStreamingDistribution
Required Permissions (API Action):
- cloudfront:CreateStreamingDistribution
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources: *
If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
CreateStreamingDistributionWithTags
Required Permissions (API Action):
- cloudfront:CreateStreamingDistribution, cloudfront:TagResource
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources: *
If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
GetStreamingDistribution
Required Permissions (API Action): cloudfront:GetStreamingDistribution
Resources: *
GetStreamingDistributionConfig
Required Permissions (API Action): cloudfront:GetStreamingDistributionConfig
Resources: *
ListStreamingDistributions
Required Permissions (API Action): cloudfront:ListStreamingDistributions
Resources: *
UpdateStreamingDistribution
Required Permissions (API Action):
- cloudfront:UpdateStreamingDistribution
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources: *
If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
DeleteStreamingDistribution
Required Permissions (API Action): cloudfront:DeleteDistribution
Resources: *
Required Permissions for Actions on Invalidations

CreateInvalidation
Required Permissions (API Action): cloudfront:CreateInvalidation
Resources: *
GetInvalidation
Required Permissions (API Action): cloudfront:GetInvalidation
Resources: *
ListInvalidations
Required Permissions (API Action): cloudfront:ListInvalidations
Resources: *
Required Permissions for Actions on Origin Access Identities

CreateCloudFrontOriginAccessIdentity
Required Permissions (API Action): cloudfront:CreateCloudFrontOriginAccessIdentity
Resources: *
GetCloudFrontOriginAccessIdentity
Required Permissions (API Action): cloudfront:GetCloudFrontOriginAccessIdentity
Resources: *
GetCloudFrontOriginAccessIdentityConfig
Required Permissions (API Action): cloudfront:GetCloudFrontOriginAccessIdentityConfig
Resources: *
ListCloudFrontOriginAccessIdentities
Required Permissions (API Action): cloudfront:ListDistributions
Resources: *
UpdateCloudFrontOriginAccessIdentity
Required Permissions (API Action): cloudfront:UpdateCloudFrontOriginAccessIdentity
Resources: *
DeleteCloudFrontOriginAccessIdentity
Required Permissions (API Action): cloudfront:DeleteCloudFrontOriginAccessIdentity
Resources: *
Required Permissions for CloudFront Actions Related to Lambda@Edge

To use Lambda@Edge, you need the following CloudFront permissions so you can create or update a distribution that includes triggers for Lambda functions. For information about the Lambda permissions that you need, see Setting IAM Permissions in the "AWS Lambda@Edge" chapter in the AWS Lambda Developer Guide.
CreateDistribution
Required Permissions (API Action):
- cloudfront:CreateDistribution
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
CreateDistributionWithTags
Required Permissions (API Action):
- cloudfront:CreateDistribution, cloudfront:TagResource
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
UpdateDistribution
Required Permissions (API Action):
- cloudfront:UpdateDistribution
- acm:ListCertificates (CloudFront console only)
- Only if you configure CloudFront to save access logs:
  - s3:GetBucketAcl
  - s3:PutBucketAcl
  - The S3 ACL for the bucket must grant you FULL_CONTROL
Resources:
- CloudFront: *
- ACM: *
- Amazon S3: If you configure CloudFront to save access logs, you can optionally restrict access to a specified bucket.
Required Permissions for Actions on Tags

TagResource
Required Permissions (API Action): cloudfront:TagResource
Resources: *
UntagResource
Required Permissions (API Action): cloudfront:UntagResource
Resources: *
ListTagsForResource
Required Permissions (API Action): cloudfront:ListTagsForResource
Resources: *